In a notably sharply worded opinion, the Fifth Circuit recently vacated over $4.3 million in penalties levied against the University of Texas M.D. Anderson Cancer Center (M.D. Anderson) by the Department of Health and Human Services (HHS) for a series of alleged HIPAA violations.
The case, University of Texas M.D. Anderson Cancer Center v. U.S. Department of Health and Human Services, stems from three separate incidents that occurred between 2012 and 2013. In two instances, M.D. Anderson workforce members lost unencrypted protected health information (PHI), while the third incident involved the theft of a faculty member’s laptop that also contained unencrypted PHI. After investigating these occurrences, HHS fined M.D. Anderson a total of $4,348,000, which M.D. Anderson contested through the agency’s administrative review process. On review, both the administrative law judge (ALJ) and the Departmental Appeals Board upheld the penalties.
On appeal, the Fifth Circuit concluded that HHS’s civil monetary penalties order against M.D. Anderson was arbitrary, capricious, and contrary to law, vacating the penalties and pointedly criticizing the agency’s actions and arguments in this matter. The court identified “at least four independent reasons” for its conclusion.
First, the court dissected HIPAA’s encryption rule, which contains an addressable implementation specification for covered entities to implement a mechanism to encrypt and decrypt electronic PHI (ePHI). Emphasizing that the rule merely requires “a mechanism,” without specifying a required level of effectiveness, the court found that M.D. Anderson indisputably had such a mechanism in place, including use of an “IronKey” to encrypt devices, email encryption, and a policy requiring employees to encrypt sensitive data, along with other safeguards. The court explained that the failure of three employees to follow the encryption policy, or M.D. Anderson’s failure to enforce the policy rigorously enough, did not equate to M.D. Anderson not having an encryption mechanism in place, as required by HIPAA and as alleged by the government:
The regulation requires only “a mechanism” for encryption. It does not require a covered entity to warrant that its mechanism provides bulletproof protection of “all systems containing ePHI.” … Nor does it say anything about how effective a mechanism must be, how universally it must be enforced, or how impervious to human error or hacker malfeasance it must be. The regulation simply says “a mechanism.” M.D. Anderson undisputedly had “a mechanism,” even if it could’ve or should’ve had a better one. So M.D. Anderson satisfied HHS’s regulatory requirement, even if the Government now wishes it had written a different one.
Next, the court turned to HIPAA’s rule prohibiting a covered entity from disclosing PHI unless permitted to do so under HIPAA’s Privacy Rule, where “disclosure” is defined to mean the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information. The court interpreted this definition to require: (1) an affirmative act (whether knowing or unknowing) by the covered entity; (2) the actual receipt of the information by someone; and (3) the disclosure of the information to a party “outside” the covered entity. In striking HHS’s interpretation of “disclosure” the court noted:
HHS never explains how someone could “disclose” a secret without actually making it known to someone. Nor can we imagine a way.
The court dismissed the agency’s arguments that such an interpretation would make it “difficult for HHS to enforce the Disclosure Rule if it must show that ePHI was disclosed to someone, and harder still if it must show that ePHI was disclosed ‘outside’ of the covered entity,” stating “that’s precisely the sort of policy argument that HHS could vet in a rulemaking proceeding.”
The court’s third basis for overturning HHS’s monetary penalties was the agency’s failure to “treat like cases alike.” Rejecting the ALJ’s and Departmental Appeals Board’s position that they were not bound to evaluate penalties on a comparative standard, the court pointed to widely disparate outcomes resulting from similar encryption-related incidents as demonstrating HHS’s arbitrary and capricious enforcement of the civil monetary penalty rules. Specifically, the court referenced examples of stolen, unencrypted laptops where HHS assessed no penalties against the responsible covered entity, as compared to the seven-figure penalty assessed against M.D. Anderson for the same conduct.
Finally, the court took issue with the amounts of the fines imposed upon M.D. Anderson. Although the relevant penalty statute caps penalties for this type of violation (a “reasonable cause” violation) at $100,000 per calendar year, HHS inexplicably determined the statutory cap to be $1.5 million. The agency then proceeded to levy penalties in line with its misinterpretation of the applicable statutory caps, until it eventually identified its error and issued a “Notice of Enforcement Discretion Regarding HIPAA Civil Monetary Penalties.” The Fifth Circuit was plainly unimpressed with HHS’s odd miscalculations and subsequent enforcement discretion (along with the ALJ’s and Departmental Appeals Board’s acceptance thereof), finding that “[t]hose erroneous premises are particularly problematic because they tainted other parts of HHS’s decision.”
Beyond its harsh words for HHS, this opinion is notable for calling into question some longstanding HHS enforcement practices and interpretations of the HIPAA regulations. The court’s reading of the disclosure rule is particularly striking. The Fifth Circuit says that there is no disclosure of lost PHI unless someone outside of the organization actually received the PHI. The opinion also makes clear that regulated entities should check the math when HHS levies a fine. Although limited in its precedential authority, the Fifth Circuit’s opinion, at the very least, gives HIPAA-regulated entities some new food for thought if faced with an HHS enforcement action.